SSL certificate available to IIS but cannot be selected for VPN (Win2022 Server)

aag

I have installed a wildcard SSL certificate on a Win2022 Server for use by both web (IIS) and VPN authentication. I let Windows choose the appropriate certificate store, but for good measure I installed the certificate also on LocalMachine. Now, web serving works just fine. However, the certificate does not appear in the Remote Access Server choice and consequently cannot be selected. Worse, the RAS now complains that the default self-signed certificate is not identical to the IIS SSL certificate and refuses to start. My question is: how can I make the new certificate selectable in the RAS configuration page?

What are the certificate usages?
aag
Proves your identity to a remote computer / Ensures the identity of a remote computer / 2.23.140.1.2.1. It's stored under "Trusted Root Certification Authorities" (Current User).
It needs to be in the Personal store and have the Server Authentication Enhanced Key Usage (EKU) (OID 1.3.6.1.5.5.7.3.1). https://directaccess.richardhicks.com/2018/07/16/always-on-vpn-ssl-certificate-requirements-for-sstp/
aag
Thank you very much for your advice; it's highly appreciated. I have copied the certificate to the Personal store, and I have added the EKU OID to it and to each certificate in its chain of trust. I have then restarted the RAS service. However, I still see only the self-signed cert installed automatically and a "default" which cannot be chosen for some reason (it produces an error). What am I missing? :)
aag
The info box says: [1] Certificate Policy: Policy Identifier=Server Authentication; [1,1] Policy Qualifier Info: Policy Qualifier Id=Root Program Flags, Qualifier: c0
aag
However, I notice that the entry "Key Usage" (value: "Digital Signature, Key Encipherment (a0)") has an attention sign (yellow triangle with an exclamation mark) on it. Does this mean that something is wrong?
That's an odd assortment of EKUs considering you only need one that isn't present.
aag
Dear Greg, thank you - but I don't quite understand. I entered the OID that you kindly specified. Why isn't it present? I thought that the text "Server Authentication" would indicate that it was correctly entered...
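The thread above turns on two checks: that the certificate sits in the Local Machine Personal store (not Current User, not Trusted Root), and that it carries the Server Authentication EKU (extension OID 2.5.29.37 containing 1.3.6.1.5.5.7.3.1) rather than a Certificate Policy extension merely named "Server Authentication". The following PowerShell is an added example, not code from the thread or from the linked article; it assumes the wildcard certificate can be found by a subject substring (placeholder `example.com`).

```powershell
# Added example: report, for each certificate in the Local Machine Personal
# store matching a subject pattern, whether it has a private key and whether
# its EKU extension (OID 2.5.29.37) includes Server Authentication
# (1.3.6.1.5.5.7.3.1). A Certificate Policy extension (OID 2.5.29.32) labelled
# "Server Authentication" is a different extension and does not count.

$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'
$SubjectPattern = 'example.com'   # placeholder: substring of your wildcard subject

function Get-ServerAuthStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $hasServerAuth = $false
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        # Decode the raw extension into a typed EKU object and look for the OID.
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
                            -ArgumentList $ekuExt, $false
        $hasServerAuth = [bool]($typed.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }

    # A Certificate Policy extension is reported separately so the two are not confused.
    $hasPolicyExt = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' })

    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        HasPrivateKey    = $Cert.HasPrivateKey
        ServerAuthEKU    = $hasServerAuth
        HasPolicyExtOnly = ($hasPolicyExt -and -not $hasServerAuth)
    }
}

# RRAS/SSTP reads from Cert:\LocalMachine\My. Certificates placed only in
# Cert:\CurrentUser\Root will never appear in the RAS selection list.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectPattern*" } |
    ForEach-Object { Get-ServerAuthStatus -Cert $_ } |
    Format-Table -AutoSize
```

A usable SSTP certificate shows HasPrivateKey and ServerAuthEKU both True; if ServerAuthEKU is False, the EKU must come from the issuing CA (it cannot be added to an existing certificate after issuance), so the certificate has to be reissued with that usage.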